Linux-CIFS Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 1/2] cifs: modefromsid: make room for 4 ACE
@ 2019-09-16  2:28 Aurelien Aptel
  2019-09-16  2:28 ` [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first Aurelien Aptel
  0 siblings, 1 reply; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16  2:28 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, Aurelien Aptel

when mounting with modefromsid, we end up writing 4 ACE in a security
descriptor that only has room for 3, thus triggering an out-of-bounds
write. fix this by changing the min size of a security descriptor.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/cifsacl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h
index dd95a6fa24bf..eb428349f29a 100644
--- a/fs/cifs/cifsacl.h
+++ b/fs/cifs/cifsacl.h
@@ -45,7 +45,7 @@
  */
 #define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \
 			      sizeof(struct cifs_acl) + \
-			      (sizeof(struct cifs_ace) * 3))
+			      (sizeof(struct cifs_ace) * 4))
 
 /*
  * Maximum size of a string representation of a SID:
-- 
2.16.4


^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first
  2019-09-16  2:28 [PATCH 1/2] cifs: modefromsid: make room for 4 ACE Aurelien Aptel
@ 2019-09-16  2:28 ` Aurelien Aptel
  0 siblings, 0 replies; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16  2:28 UTC (permalink / raw)
  To: linux-cifs; +Cc: smfrench, Aurelien Aptel

DACL should start with denying ACE first but we are putting it at the
end. reorder them to put it first.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
 fs/cifs/cifsacl.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 3e0c5ed9ca20..28b56cb19d60 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -809,17 +809,11 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
 			struct cifs_sid *pgrpsid, __u64 nmode, bool modefromsid)
 {
 	u16 size = 0;
+	u32 num_aces = 0;
 	struct cifs_acl *pnndacl;
 
 	pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
 
-	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
-					pownersid, nmode, S_IRWXU);
-	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
-					pgrpsid, nmode, S_IRWXG);
-	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
-					 &sid_everyone, nmode, S_IRWXO);
-
 	/* TBD: Move this ACE to the top of ACE list instead of bottom */
 	if (modefromsid) {
 		struct cifs_ace *pntace =
@@ -840,12 +834,22 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
 		pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
 		pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
 
-		pndacl->num_aces = cpu_to_le32(4);
 		size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
 					 &sid_unix_NFS_mode, nmode, S_IRWXO);
-	} else
-		pndacl->num_aces = cpu_to_le32(3);
+		num_aces++;
+	}
+
+	size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
+					pownersid, nmode, S_IRWXU);
+	num_aces++;
+	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+					pgrpsid, nmode, S_IRWXG);
+	num_aces++;
+	size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+					 &sid_everyone, nmode, S_IRWXO);
+	num_aces++;
 
+	pndacl->num_aces = cpu_to_le32(num_aces);
 	pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
 
 	return 0;
-- 
2.16.4


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-16  2:28 [PATCH 1/2] cifs: modefromsid: make room for 4 ACE Aurelien Aptel
2019-09-16  2:28 ` [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first Aurelien Aptel

Linux-CIFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-cifs/0 linux-cifs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-cifs linux-cifs/ https://lore.kernel.org/linux-cifs \
		linux-cifs@vger.kernel.org linux-cifs@archiver.kernel.org
	public-inbox-index linux-cifs

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-cifs


AGPL code for this site: git clone https://public-inbox.org/ public-inbox